Closed Bug 642329 Opened 13 years ago Closed 12 years ago

[adbe 2874487] Flash related Plugin Crash [@ _moz_cairo_surface_set_user_data] with null surface | ASSERTION: Cannot create optimized surface: 'Error'

Categories

(Core Graveyard :: Plug-ins, defect)

x86
Windows 7
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: bc, Unassigned)

References

()

Details

(Keywords: assertion, crash, Whiteboard: [sg:dos?])

Crash Data

Attachments

(1 file)

1. http://www.myspace.com/kartoff
2. Crash in plugin-container with Flash 10.2.152.26

On 2.0.0, total virtual memory quickly hits 2G and quickly fluctuates up to 4G and back down, with

ASSERTION: Cannot create optimized surface: 'Error', file c:/work/mozilla/builds/2.0.0/mozilla/dom/plugins/PluginInstanceChild.cpp, line 2516 repeated about 1700 times.

On 1.9.2 it hits almost 8G, and I got a funny breakpoint in RealBreak() and a bunch of URLs in the console like:

http://www.myspace.com/search/Videos?q=%D0%9C%D0%BE%D0%BB%D0%BE%D1%85.%20%D1%80%D0%B5%D0%B6.%20%D0%9C%D0%B0%D1%80%D1%82%D0%B8%D0%BD%20%D0%9F%D0%B0%D1%86%D0%B5%D1%80%D0%B0%0D%0A%0D%0A%D0%98%D0%BD%D0%B4%D1%83%D1%81%D1%82%D1%80%D0%B8%D0%B0%D0%BB%D1%8C%D0%BD%D0%B0%D1%8F%20%D1%8D%D0%BD%D0%B5%D1%80%D0%B3%D0%BE%D1%83%D1%81%D1%82%D0%B0%D0%BD%D0%BE%D0%B2%D0%BA%D0%B0


Operating system: Windows NT
                  5.1.2600 Service Pack 3
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason:  EXCEPTION_ACCESS_VIOLATION_READ
Crash address: 0xc
Assertion: Unknown assertion type 0x00000000

Thread 0 (crashed)
 0  xul.dll!_moz_cairo_surface_set_user_data [cairo-surface.c : 706 + 0x3]
    eip = 0x019f4526   esp = 0x0012eeac   ebp = 0x0012eeac   ebx = 0x00000000
    esi = 0x04098618   edi = 0x7c90e920   eax = 0x00000000   ecx = 0x040ffe58
    edx = 0x040ffe58   efl = 0x00210216
    Found by: given as instruction pointer in context
 1  xul.dll!mozilla::gfx::SharedDIBSurface::InitSurface(unsigned int,unsigned int,bool) [SharedDIBSurface.cpp : 85 + 0x16]
    eip = 0x009292aa   esp = 0x0012eeb4   ebp = 0x0012eedc
    Found by: call frame info
 2  xul.dll!mozilla::gfx::SharedDIBSurface::Create(HDC__ *,unsigned int,unsigned int,bool) [SharedDIBSurface.cpp : 57 + 0x13]
    eip = 0x0092919c   esp = 0x0012eee4   ebp = 0x0012eef8
    Found by: call frame info
 3  xul.dll!mozilla::plugins::PluginInstanceChild::CreateOptSurface() [PluginInstanceChild.cpp : 2390 + 0x20]
    eip = 0x007ca759   esp = 0x0012ef00   ebp = 0x0012ef48
    Found by: call frame info
 4  xul.dll!mozilla::plugins::PluginInstanceChild::EnsureCurrentBuffer() [PluginInstanceChild.cpp : 2515 + 0x7]
    eip = 0x007cabe6   esp = 0x0012ef50   ebp = 0x0012efa4
    Found by: call frame info
 5  xul.dll!mozilla::plugins::PluginInstanceChild::ShowPluginFrame() [PluginInstanceChild.cpp : 2914 + 0xa]
    eip = 0x007cbc1d   esp = 0x0012efac   ebp = 0x0012f0f4
    Found by: call frame info
 6  xul.dll!mozilla::plugins::PluginInstanceChild::InvalidateRectDelayed() [PluginInstanceChild.cpp : 3109 + 0x7]
    eip = 0x007ccefe   esp = 0x0012f0fc   ebp = 0x0012f100
    Found by: call frame info
 7  xul.dll!DispatchToMethod<mozilla::plugins::PluginInstanceChild,void ( mozilla::plugins::PluginInstanceChild::*)(void)>(mozilla::plugins::PluginInstanceChild *,void ( mozilla::plugins::PluginInstanceChild::*)(void),Tuple0 const &) [tuple.h : 383 + 0x8]
    eip = 0x007cfccc   esp = 0x0012f108   ebp = 0x0012f108
    Found by: call frame info
 8  xul.dll!RunnableMethod<mozilla::plugins::PluginInstanceChild,void ( mozilla::plugins::PluginInstanceChild::*)(void),Tuple0>::Run() [task.h : 307 + 0x1d]
    eip = 0x007cf50e   esp = 0x0012f110   ebp = 0x0012f124
    Found by: call frame info
 9  xul.dll!MessageLoop::RunTask(Task *) [message_loop.cc : 343 + 0xc]
    eip = 0x01911dbe   esp = 0x0012f12c   ebp = 0x0012f14c
    Found by: call frame info
10  xul.dll!MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const &) [message_loop.cc : 351 + 0xd]
    eip = 0x01911e2e   esp = 0x0012f154   ebp = 0x0012f15c
    Found by: call frame info

ss because this smells.
This renders my browser non-responsive on Mac (Fx4rc) as the memory usage goes up to about 2G and I have to force quit.
The memory use seems bad, but the actual crash looks benign. Do we want to report this as a potentially malicious .swf to Adobe?
Sal (cc'd here) should already be notified. Sal?
Joe thinks we failed to check whether we were able to create the cairo surface in an OOM situation. Missing null check?

Don't think this specific signature is scary. Do we get different crashes because of the OOM that look worse?
Whiteboard: [sg:dos?]
gfxASurface::CairoStatus() should return 0 if everything went ok.
This is the only one I've seen in automation. The related socorro signature is
_PR_MD_PR_POLL which is filed as bug 612270 and which had about 1500 crashes in
the last week. 293 are @0x0 | _PR_MD_PR_POLL but 1242 have scattered crash
addresses.
Why do you think this has something to do with _PR_MD_PR_POLL? It doesn't appear to be related.
Just that the URL was provided to me by Socorro because a user crashed there, and they had that signature.
Update crash bugs to critical per guidelines.
Severity: normal → critical
This still occurs with Flash 10.3 on Windows XP/Windows 7.

Charles, is Sal still involved in helping us with Flash related crashes?
Yes Sal is still on the forefront for these issues.  I'll ping him on this one.
I'm here... The issue is internally referenced in 2874487.
Assignee: nobody → smadayag
Status: NEW → ASSIGNED
Summary: Flash related Plugin Crash [@ _moz_cairo_surface_set_user_data] with null surface | ASSERTION: Cannot create optimized surface: 'Error' → [adbe 2874487] Flash related Plugin Crash [@ _moz_cairo_surface_set_user_data] with null surface | ASSERTION: Cannot create optimized surface: 'Error'
Hit this again on http://www.myspace.com/apollo225 with Windows XP and Aurora, with the addition of a

Assertion failure: !entered && i < mLength, at c:\work\mozilla\builds\aurora\mozilla\js\src\jsvector.h:320
Attached file crash report
Note the crashing thread does not have Flash, but the extra dump file flags NPSWF as the plugin in plugin-container.
Reproduced with Flash 10.3.181.22 on Firefox 4, Beta, Aurora, Nightly on Windows 7 but not Windows XP.

Sal, do you think this is an Adobe issue or a Firefox issue? If you think this is a Firefox issue, please reassign to the default owner. Thanks.
Crash Signature: [@ _moz_cairo_surface_set_user_data]
I've asked the dev assigned for his assessment. I'll comment when he posts.
Now with Flash 10.3.181.26 only reproducible on Windows 7
OS: Windows XP → Windows 7
Reproducible with http://www.barbariki.ru/index.php?page=103 on Windows XP and Windows 7 on Beta, Aurora, Nightly and Flash 10.3.183.5
Awesome. The barbariki URL will make it easier for dev to troubleshoot. Thanks Bob...
Here are the dev notes:

3.6.18 works flawlessly on this site. I upgraded to 5.0 and ran into two separate problems.

1. In in-process mode with the plugin, unless the window was wide enough, the menus do not display anything. If I roll over a menu item or generate an animation, I do not get an updaterect call to draw anything. Only when the window is resized larger do the menus appear correctly.

2. In out-of-process plugin mode, I get a crash, but it is in the XUL.dll. I don't see anything bad from Flash itself. The crashing stack with a bad access at 0x0000000c:

>	xul.dll!5a84d3e4() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for xul.dll]	
 	xul.dll!5aaee615() 	
 	xul.dll!5ab29fe0() 	
 	xul.dll!5ae41974() 	
 	xul.dll!5ae47a99() 	
 	xul.dll!5ae4a025() 	
 	xul.dll!5ae4dd33() 	
 	xul.dll!5a7edd46() 	
 	xul.dll!5a7edd6a() 	
 	xul.dll!5a5f5b00() 	
 	xul.dll!5ac15fa5() 	
 	xul.dll!5a7ede4d() 	
 	xul.dll!5a7ede18() 	
 	xul.dll!5a7da7f0() 	
 	xul.dll!5a9cf4ef() 	
 	xul.dll!5a7da785() 	
 	xul.dll!5ae4bd56() 	
 	ntdll.dll!77e6fada() 	
 	KernelBase.dll!7589e58f() 	
 	mozcrt19.dll!67346ffd() 	
 	plugin-container.exe!013b124d() 	
 	plugin-container.exe!013b1402() 	
 	kernel32.dll!76de339a() 	
 	ntdll.dll!77e89ed2()
Since this is most likely a bug in our code, I'll reassign it.
Assignee: smadayag → nobody
Status: ASSIGNED → NEW
dveditz: any reason to keep this hidden anymore? The consensus appears to be this is just a DoS and not a security issue.
Opening up.
Group: core-security
Reproducible now with http://www.barbariki.ru/index.php?page=103 with Firefox 7/Windows XP debug and opt builds.

bp-cb1880b2-07b2-4945-b77b-72ab42110927
http://www.watchfomny.com/Video/United-kindom/Family-Guy/Family-Guy.htm (might be a copyright violation) contains the following

<iframe src='http://www.seeon.tv/embedplayer.php?width=350&height=290360&channel=20796&autoplay=true' frameborder='0' marginheight='0' marginwidth='0' scrolling='no' width='350' height='290360'>

which in Nightly debug builds with Flash 11.0.1.152 results in

###!!! ABORT: Expected SharedDIBSurface!: file c:/work/mozilla/builds/nightly/mozilla/dom/plugins/ipc/PluginInstanceChild.cpp, line 2751

Operating system: Windows NT
                  5.1.2600 Service Pack 3
CPU: x86
     GenuineIntel family 6 model 44 stepping 2
     1 CPU

Crash reason:  EXCEPTION_BREAKPOINT
Crash address: 0x7c90120e
Assertion: Unknown assertion type 0x00000000

Thread 0 (crashed)
 0  ntdll.dll + 0x120e
    eip = 0x7c90120e   esp = 0x0012ea34   ebp = 0x0012ea38   ebx = 0x00000001
    esi = 0x0423a148   edi = 0x7c90e920   eax = 0x00000000   ecx = 0x00000001
    edx = 0x00000000   efl = 0x00200212
    Found by: given as instruction pointer in context
 1  xul.dll!NS_DebugBreak_P [nsDebugImpl.cpp : 340 + 0x4]
    eip = 0x0188e563   esp = 0x0012ea40   ebp = 0x0012ee58
    Found by: previous frame's frame pointer
 2  xul.dll!mozilla::plugins::PluginInstanceChild::UpdateWindowAttributes(bool) [PluginInstanceChild.cpp : 2751 + 0x17]
    eip = 0x016bcb0f   esp = 0x0012ee60   ebp = 0x0012eec8
    Found by: call frame info
 3  xul.dll!mozilla::plugins::PluginInstanceChild::PaintRectToPlatformSurface(nsIntRect const &,gfxASurface *) [PluginInstanceChild.cpp : 2824 + 0x9]
    eip = 0x016bcd43   esp = 0x0012eed0   ebp = 0x0012eef4
    Found by: call frame info
 4  xul.dll!mozilla::plugins::PluginInstanceChild::PaintRectToSurface(nsIntRect const &,gfxASurface *,gfxRGBA const &) [PluginInstanceChild.cpp : 2951 + 0x14]
    eip = 0x016bcf37   esp = 0x0012eefc   ebp = 0x0012ef88
    Found by: call frame info
 5  xul.dll!mozilla::plugins::PluginInstanceChild::ShowPluginFrame() [PluginInstanceChild.cpp : 3221 + 0x43]
    eip = 0x016bdbc9   esp = 0x0012ef90   ebp = 0x0012f0f0
    Found by: call frame info
 6  xul.dll!mozilla::plugins::PluginInstanceChild::InvalidateRectDelayed() [PluginInstanceChild.cpp : 3353 + 0x7]
    eip = 0x016be281   esp = 0x0012f0f8   ebp = 0x0012f0fc
    Found by: call frame info
 7  xul.dll!DispatchToMethod<mozilla::plugins::PluginInstanceChild,void ( mozilla::plugins::PluginInstanceChild::*)(void)>(mozilla::plugins::PluginInstanceChild *,void ( mozilla::plugins::PluginInstanceChild::*)(void),Tuple0 const &) [
    eip = 0x016c06bc   esp = 0x0012f104   ebp = 0x0012f104
    Found by: call frame info
 8  xul.dll!RunnableMethod<mozilla::plugins::PluginInstanceChild,void ( mozilla::plugins::PluginInstanceChild::*)(void),Tuple0>::Run() [task.h : 307 + 0x1d]
    eip = 0x016bffbe   esp = 0x0012f10c   ebp = 0x0012f120
    Found by: call frame info

Beta and Aurora still show the original _moz_cairo_surface_set_user_data crash. Maybe this abort is related to the original crash. I didn't crash with Nightly, Aurora or Beta opt builds on XP though. Everything here is Windows XP and Windows 7.
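The two points raised earlier in this thread (Joe's "missing null check" on the surface created under OOM, and the note that gfxASurface::CairoStatus() returns 0 only when creation succeeded) and the oversized 290360-pixel-high iframe reported just above are instances of the same pattern: a surface-creation call that can fail is followed by code that dereferences the result. The C below is an added illustration written for this page, not Mozilla or cairo code; the surface_t layout, the status values, the xalloc fault-injection hook and the function names are all assumptions chosen to model the report. Its status field sits at offset 12, so a NULL surface passed to the set_user_data analogue would fault at address 0xc, the same small address as the crash report, and the checked variant shows the fix: treat both NULL and a non-zero status as creation failure and skip the paint.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Status codes in the style of cairo's; the numeric values are this example's own. */
enum { STATUS_SUCCESS = 0, STATUS_NO_MEMORY = 1, STATUS_INVALID_SIZE = 2, STATUS_NULL_POINTER = 3 };

typedef struct {
    int      refcount;
    unsigned width;
    unsigned height;
    int      status;      /* offset 12: reading it through a NULL pointer faults at 0xc */
    uint8_t *pixels;
    void    *user_data;
} surface_t;

/* Fault-injecting allocator (assumed helper): fails the N-th allocation, N = 0 being the first. */
static int g_fail_after = -1;           /* -1 = never fail */
static void *xalloc(size_t n)
{
    if (g_fail_after == 0) return NULL;
    if (g_fail_after > 0) g_fail_after--;
    return calloc(1, n);
}

/* Analogue of gfxASurface::CairoStatus(): 0 only when the surface is usable. */
static int surface_status(const surface_t *s)
{
    return s ? s->status : STATUS_NULL_POINTER;
}

/* Creation can fail two ways: no object at all (NULL), or an "error surface"
 * whose only valid field is status. Callers must handle both. */
static surface_t *surface_create(unsigned w, unsigned h)
{
    surface_t *s = xalloc(sizeof *s);
    if (!s) return NULL;                /* header itself could not be allocated */
    s->refcount = 1;
    s->width = w;
    s->height = h;
    if (w == 0 || h == 0 || w > 32767 || h > 32767) {   /* keeps w*h*4 inside 32 bits */
        s->status = STATUS_INVALID_SIZE;
        return s;
    }
    s->pixels = xalloc((size_t)w * h * 4);
    if (!s->pixels) s->status = STATUS_NO_MEMORY;
    return s;
}

static void surface_destroy(surface_t *s)
{
    if (s) { free(s->pixels); free(s); }
}

/* Mirrors what _moz_cairo_surface_set_user_data does first: read s->status.
 * With s == NULL that read is the access violation at address 0xc. */
static int surface_set_user_data(surface_t *s, void *data)
{
    if (s->status != STATUS_SUCCESS) return s->status;
    s->user_data = data;
    return STATUS_SUCCESS;
}

/* Unchecked pattern: whatever create returned is handed straight on.
 * If the first allocation fails this dereferences NULL (never run that way here). */
static int ensure_buffer_unchecked(unsigned w, unsigned h, surface_t **out)
{
    surface_t *s = surface_create(w, h);
    surface_set_user_data(s, (void *)"plugin-instance");
    *out = s;
    return STATUS_SUCCESS;
}

/* Checked pattern: NULL and non-zero status are both creation failures, so the
 * caller aborts this paint instead of touching a bad surface. */
static int ensure_buffer_checked(unsigned w, unsigned h, surface_t **out)
{
    surface_t *s = surface_create(w, h);
    int st = surface_status(s);
    if (st != STATUS_SUCCESS) {
        surface_destroy(s);
        *out = NULL;
        return st;
    }
    surface_set_user_data(s, (void *)"plugin-instance");
    *out = s;
    return STATUS_SUCCESS;
}

/* Drive one scenario: which allocation (if any) fails, and what size is requested. */
static int run_checked(int fail_after, unsigned w, unsigned h)
{
    surface_t *s = NULL;
    g_fail_after = fail_after;
    int st = ensure_buffer_checked(w, h, &s);
    g_fail_after = -1;
    surface_destroy(s);
    return st;
}

static int status_field_offset(void) { return (int)offsetof(surface_t, status); }

int main(void)
{
    surface_t *s = NULL;
    ensure_buffer_unchecked(64, 64, &s);    /* fine while memory is plentiful */
    surface_destroy(s);
    printf("status field offset: 0x%x\n", status_field_offset());
    printf("no OOM:              status %d\n", run_checked(-1, 64, 64));
    printf("header alloc fails:  status %d\n", run_checked(0, 64, 64));
    printf("pixel alloc fails:   status %d\n", run_checked(1, 64, 64));
    printf("350x290360 request:  status %d\n", run_checked(-1, 350, 290360));
    return 0;
}
```

The size check in surface_create is the part that maps to the iframe case: a 290360-pixel-high plugin window is rejected before any pixel allocation is attempted, so the paint path sees a clean STATUS_INVALID_SIZE rather than an allocation that fails late or a 32-bit byte count that has wrapped.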
See Bug 700572 for test case that reproduces ABORT: Expected SharedDIBSurface! about 25% of the time.
I last saw this on 12/17 with Flash 11.1.102.55.

http://www.super.websnadno.cz/ucivo-a-zajimavosti.html still reproduces

ABORT: Refusing to pointlessly recover alpha: 'aSurface->GetContentType() == gfxASurface::CONTENT_COLOR_ALPHA'

but that is Bug 700572
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Product: Core → Core Graveyard